Australian Digital Forensics Conference
Copyright (c) 2018 Edith Cowan University. All rights reserved.
http://ro.ecu.edu.au/adf

Recent documents in Australian Digital Forensics Conference
Tue, 13 Feb 2018 19:02:50 PST

Proceedings of the 15th Australian Digital Forensics Conference, 5-6 December 2017, Edith Cowan University, Perth, Australia
http://ro.ecu.edu.au/adf/175
Tue, 30 Jan 2018 19:52:43 PST
Conference Foreword This is the sixth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers, with a number from local and international authors. 8 papers were submitted and, following a double blind peer review process, 5 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included but not been limited to the reviewing and editing of the conference papers, and helping with the planning, organisation and execution of the conference. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year. To our sponsors and supporters a vote of thanks for both the financial and moral support provided to the conference. Finally, to the student volunteers and staff of the ECU Security Research Institute, your efforts as always are appreciated and invaluable.

Craig Valli

A centralised platform for digital forensic investigations in cloud-based environments
http://ro.ecu.edu.au/adf/174
Tue, 30 Jan 2018 19:43:26 PST
Forensic investigations of digital media traditionally involve seizing a device and performing a forensic investigation. Often legal and physical obstructions must be overcome so that the investigator has access to the device and the right to secure it for investigation purposes. Taking a forensic image of a hard disk may need to be done in the field, but analysis can usually be performed at a later time. With the rapid increase in hard disk size, acquiring a forensic image can take hours or days. This poses significant issues for forensic investigators when potential evidence resides in the cloud. What is highly desirable is the ability to perform the acquisition of the image and the data recovery whilst the data remains in the cloud. The comparatively small amount of recovered data can then be downloaded from the cloud. This may overcome legal, time and physical obstacles with one relatively simple method. This research describes the development of cloud-based software to perform a digital forensic investigation in the cloud and describes the efficiency of the process under several different configurations utilising Amazon Web Services cloud solutions.
Shaunak Mody et al.

Analysis of attempted intrusions: intelligence gathered from SSH Honeypots
http://ro.ecu.edu.au/adf/173
Tue, 30 Jan 2018 19:38:37 PST
Honeypots are a defensive cyber security countermeasure used to gather data on intruder activities. By analysing the data collected by honeypots, mitigation strategies for cyberattacks launched against cyber-enabled infrastructures can be developed. In this paper, intelligence gathered from six Secure Shell (SSH) honeypots is presented. The paper is part of an ongoing investigation into analysing malicious activities captured by the honeypots. This paper focuses on the time of day at which attempted intrusions have occurred. The honeypot data has been gathered from 18th July 2012 until 13th January 2016; a period of 1,247 days. All six honeypots have the same hardware and software configurations and are located on the same IPv4 /24 subnet. Preliminary analysis of the data from all six hosts has been combined to show the number of attempted intrusions recorded by each honeypot and the top 20 countries from which attacking IP addresses have originated. However, there is a variation in the number of attempted intrusions recorded on each of the six hosts. Findings from the research conducted suggest that there is a pattern of organised attempted intrusions from attacking IP addresses originating from China and Hong Kong during an 8am to 6pm working day. An additional investigation into the possible use of organised attacking workforces was conducted.
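The time-of-day analysis the abstract describes, as an added example (not the paper's code): it parses constructed honeypot-style log lines, resolves source addresses through a hand-written stand-in for a GeoIP table, converts UTC timestamps to UTC+8 (China and Hong Kong have no daylight saving, so a fixed offset is exact), and reports what share of each country's attempts fall inside a Monday-to-Friday 08:00-18:00 working day. The log format, the addresses and the country mapping are all assumptions; a real run would read the honeypot's own logs and a GeoIP database.

```python
"""Time-of-day profiling of SSH login attempts by source country.

Added example, not code from the paper. It runs over constructed honeypot
log lines and a hand-written IP-to-country table (assumptions); a real run
would read the honeypot's own logs and use a GeoIP database.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records, loosely modelled on what an SSH honeypot logs:
# UTC timestamp, attempted credentials, outcome, source address.
SAMPLE_LOG = """\
2015-03-02T01:12:07Z login attempt [root/123456] failed src=203.0.113.7
2015-03-02T02:40:51Z login attempt [root/admin] failed src=203.0.113.7
2015-03-02T05:03:19Z login attempt [admin/admin] failed src=203.0.113.9
2015-03-02T09:55:44Z login attempt [root/root] failed src=203.0.113.9
2015-03-02T15:20:10Z login attempt [root/toor] failed src=198.51.100.23
2015-03-02T21:47:33Z login attempt [ubuntu/ubuntu] failed src=198.51.100.23
2015-03-07T03:11:02Z login attempt [root/password] failed src=203.0.113.7
this line is malformed and must be skipped
"""

# Stand-in for a GeoIP lookup (constructed; documentation-range addresses).
IP_COUNTRY = {
    "203.0.113.7": "CN",
    "203.0.113.9": "HK",
    "198.51.100.23": "US",
}

# China and Hong Kong are both UTC+8 with no daylight saving, so a fixed
# offset is exact for the working-day question the abstract raises.
LOCAL_TZ = timezone(timedelta(hours=8), name="UTC+8")
WORK_START, WORK_END = 8, 18  # 08:00 inclusive to 18:00 exclusive

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z .*?src=(?P<ip>[\d.]+)\s*$"
)


def parse_attempts(text):
    """Yield (utc_datetime, source_ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate noise rather than abort the whole analysis
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        yield ts.replace(tzinfo=timezone.utc), m["ip"]


def hourly_profile(text, tz=LOCAL_TZ):
    """Attempts per country, bucketed by local hour of day (0-23)."""
    profile = defaultdict(Counter)
    for ts, ip in parse_attempts(text):
        profile[IP_COUNTRY.get(ip, "??")][ts.astimezone(tz).hour] += 1
    return profile


def working_hours_share(text, tz=LOCAL_TZ):
    """Fraction of each country's attempts made Mon-Fri, 08:00-18:00 local time."""
    total, inside = Counter(), Counter()
    for ts, ip in parse_attempts(text):
        country = IP_COUNTRY.get(ip, "??")
        local = ts.astimezone(tz)
        total[country] += 1
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            inside[country] += 1
    return {c: inside[c] / total[c] for c in total}


if __name__ == "__main__":
    for country, share in sorted(working_hours_share(SAMPLE_LOG).items()):
        print(f"{country}: {share:.0%} of attempts inside local working hours")
```

On the constructed sample the CN and HK attempts cluster inside the UTC+8 working day while the US ones do not; the point of keeping the timezone as a parameter is that the same profile can be recomputed in the attacker's presumed local time rather than the honeypot's, which is what turns a flat hour-of-day histogram into evidence about a working pattern.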
Priya Rabadia et al.

A framework for forensic reconstruction of spontaneous ad hoc networks
http://ro.ecu.edu.au/adf/172
Tue, 30 Jan 2018 19:38:32 PST
Spontaneous ad hoc networks are distinguished by rapid deployment for a specific purpose, with no forward planning or pre-design in their topology. Often these networks will spring up through necessity whenever a network is required urgently but briefly. This may be in a disaster recovery setting, military uses where the network is often unplanned but the devices are pre-installed with security settings, educational networks, or networks created as a one-off for a meeting such as in a business organisation. Generally, wireless networks pose problems for forensic investigators because of the open nature of the medium, but if logging procedures and pre-planned connections are in place, past messages, including nefarious activity, can often be easily traced through normal forensic practices. However, the often urgent nature of the spontaneous ad hoc communication requirements of these networks leads to the acceptance onto the network of anyone with a wireless device. Additionally, the identity of the network members, their location and the numbers within the network are all unknown. With no centre of control of the network, such as a central server or wireless access point, the ability to forensically reconstruct the network topology and trace a malicious message or other inappropriate or criminal activity would seem impossible. This research aims to demonstrate that forensic reconstruction is possible in these types of networks, and the current research provides initial results for how forensic investigators can best undertake these investigations.
Alastair Nisbet

ISEEK, a tool for high speed, concurrent, distributed forensic data acquisition
http://ro.ecu.edu.au/adf/171
Tue, 30 Jan 2018 18:32:58 PST
Electronic discovery (also written as e-discovery or eDiscovery) and digital forensics are processes in which electronic data is sought, located, secured, and processed with the expectation that it may be used as evidence in legal proceedings. Electronic evidence plays a fundamental role in many aspects of litigation (Stanfield, 2009). However, both eDiscovery and digital forensic approaches that rely on the creation of an index as part of their processing are struggling to cope with the huge increases in hard disk storage capacity. This paper introduces a novel technology that meets the existing and future data volume challenges faced by practitioners in these areas. The technology also addresses the concerns of those responsible for maintaining corporate networks as it does not require installation of ‘agents’ nor does it have any significant impact on network bandwidth during the search and collection process, even when this involves many computers. The technology is the embodiment of a patented process that opens the way for the development of new functionality, such as the detection of malware, compliance with corporate Information Technology (IT) policies and IT auditing. The technology introduced in this paper has been incorporated into a commercial tool called ISEEK that has already been successfully deployed in a variety of environments.
Richard Adams et al.

Building a dataset for image steganography
http://ro.ecu.edu.au/adf/170
Tue, 30 Jan 2018 18:03:14 PST
Image steganography and steganalysis techniques discussed in the literature rely on using a dataset (or datasets) created from cover images obtained from the public domain, through the acquisition of images from Internet sources, or manually. This often leads to challenges in validating, benchmarking, and reproducing reported techniques in a consistent manner. It is our view that the steganography/steganalysis research community would benefit from the availability of common datasets, thus promoting transparency and academic integrity. In this research, we have considered four aspects in building a dataset for image steganography: image acquisition, pre-processing, steganographic techniques, and embedding rate.
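The "steganographic technique" and "embedding rate" aspects above are the two a dataset builder has to control exactly, because the steganalysis ground truth is the embedding rate. As an added example (not the paper's code), the following embeds a payload into the least significant bits of a keyed pseudo-random subset of pixels at a stated rate in bits per pixel, and extracts it again with the same key. The cover is a constructed flat list of 8-bit grey values and the selection key is an assumption; with a real image the same logic runs over the flattened pixel array.

```python
"""LSB embedding at a controlled embedding rate, as used when building a
stego dataset with known ground truth.

Added example, not the paper's code. The cover is a constructed flat list of
8-bit grey values and the pixel-selection key is an assumption; the same
key-driven ordering is what lets the extractor find the payload bits again.
"""
import random


def _payload_bits(payload):
    """Most-significant-bit-first bit stream of a byte string."""
    for byte in payload:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def _positions(n_pixels, rate, key):
    """Keyed pseudo-random choice of the pixels that may carry a bit."""
    if not 0 < rate <= 1:
        raise ValueError("rate must be in (0, 1] bits per pixel")
    capacity = int(n_pixels * rate)
    return random.Random(key).sample(range(n_pixels), capacity)


def embed_lsb(cover, payload, rate, key=0):
    """Return a stego copy of `cover` carrying `payload` at `rate` bits/pixel."""
    positions = _positions(len(cover), rate, key)
    bits = list(_payload_bits(payload))
    if len(bits) > len(positions):
        raise ValueError(
            f"payload needs {len(bits)} bits; capacity at rate {rate} is {len(positions)}"
        )
    stego = list(cover)
    for pos, bit in zip(positions, bits):
        stego[pos] = (stego[pos] & 0xFE) | bit   # overwrite only the LSB
    return stego


def extract_lsb(stego, n_bytes, rate, key=0):
    """Recover `n_bytes` of payload using the same rate and key as embedding."""
    positions = _positions(len(stego), rate, key)[: n_bytes * 8]
    out = bytearray()
    for i in range(0, len(positions), 8):
        byte = 0
        for pos in positions[i:i + 8]:
            byte = (byte << 1) | (stego[pos] & 1)
        out.append(byte)
    return bytes(out)


def changed_fraction(cover, stego):
    """Share of pixels actually altered: never above the rate, typically about half of it."""
    return sum(a != b for a, b in zip(cover, stego)) / len(cover)


# Constructed 32x32 cover, flattened (assumption; real covers come from images).
COVER = [(37 * i + 11) % 256 for i in range(1024)]

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"hello", rate=0.1, key=42)
    print(extract_lsb(stego, 5, rate=0.1, key=42), changed_fraction(COVER, stego))
```

Two things the rate bookkeeping makes explicit: the capacity at a given rate is a hard bound, so an oversized payload is rejected rather than silently truncated, and the fraction of pixels actually modified is lower than the nominal rate (a bit that already matches the cover's LSB changes nothing), which is why a dataset should record the rate used, not the number of pixels that differ.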
Chris Woolley et al.

A methodology for the forensic acquisition of the TomTom One satellite navigation System - A research in progress
http://ro.ecu.edu.au/adf/169
Mon, 30 Oct 2017 01:22:42 PDT
The use of Satellite Navigation Systems (SNS) has become increasingly common in recent years. The wide scale adoption of this technology has the potential to provide a valuable resource in forensic investigations. The potential of this resource is based on the ability to retrieve historical location data from the device in question while maintaining forensic integrity. This paper presents a methodology to acquire forensic images of the TomTom One satellite navigation unit. This methodology aims to be comprehensive and straightforward, while maintaining the forensic integrity of the original evidence. However, in consideration of the aforementioned methodology, it should be noted that the defined method may not extract all potential evidence, and the viability of collected evidence is dependent on future research into the analysis of said evidence. In order to address this consideration, research into this area is currently ongoing.
Peter Hannay

Survey on remnant data research: the artefacts recovered and the implications in a cyber security conscious world
http://ro.ecu.edu.au/adf/168
Tue, 14 Feb 2017 23:54:23 PST
The prevalence of remnant data in second hand storage media is well documented. Since 2004 there have been ten separate papers released through Edith Cowan University alone. Despite numerous government agencies providing advice on securing personal and corporate information, and news articles highlighting the need for data security, the availability of personal and confidential data on second hand storage devices is continuing, indicating a systemic laissez-faire attitude to data security, even in our supposedly cyber security conscious world. The research continues, but there seems to be a lack of correlation of these studies to identify trends or common themes amongst the results. The fact that this type of research continues to be conducted highlights the deficiencies in the methods used to advertise warnings publicised by Government departments and industry experts. Major media organisations seem reluctant to broadcast these warnings unless there is a bigger story behind the issue. This paper highlights the ongoing issues and provides insight into the factors contributing to this growing trend.
Michael James et al.

Establishing effective and economical traffic surveillance in Tonga
http://ro.ecu.edu.au/adf/167
Tue, 14 Feb 2017 23:46:58 PST
The Pacific Islands are seriously challenged by the growth in wealth and the expansion of international material possessions. On the roads, traffic has grown dramatically and the types of vehicles now using Island roads have greatly changed. With the importation of cheap second hand vehicles designed for freeway speeds, serious safety issues have grown proportionally with the increasing numbers. In this research we consider the prohibitive costs of traditional traffic controls to the economy and propose a lightweight, highly mobile aerial surveillance system that integrates with ground policing capability. Our research question was: How can road safety and security be enhanced with economical technologies? In addition to collecting and processing live data we have also designed a forensically ready system, and an information system to process the large amounts of data generated by the addition of these technologies into the traffic surveillance processes.
Brian Cusack et al.

An exploration of artefacts of remote desktop applications on Windows
http://ro.ecu.edu.au/adf/166
Tue, 14 Feb 2017 23:33:20 PST
Remote Desktop Applications (RDA) such as Virtual Network Computing (VNC), Cisco WebEx, GoToMeeting and LogMeIn have been widely adopted and utilised recently. This is because they facilitate tier-one support to configure computers and networks and solve application-related issues from a remote location. The direct benefit from the use of these applications is the time (and therefore cost) saving for organisations. Unfortunately, "remoting" technology can also be used by criminals to perform illegal activities, hence remote applications are of key interest to law enforcement agencies and forensic investigators. The research outlined in this paper aims to identify any artefacts left behind by common remote applications and technologies used by many firms. These artefacts can be vital to government law enforcement agencies and forensic investigators, as they could be used as evidence in cyber-crime investigations. This research focuses on the RealVNC, TightVNC, Cisco WebEx, GoToMeeting and LogMeIn applications. The findings from the research show some artefacts left behind by the applications, which can be used by forensic investigators or law enforcement as possible evidence.
Paresh Kerai et al.

A forensic examination of several mobile device Faraday bags & materials to test their effectiveness
http://ro.ecu.edu.au/adf/165
Tue, 14 Feb 2017 23:23:04 PST
A Faraday bag is designed to shield a mobile phone or small digital device from radio waves entering the bag and reaching the device, or to stop radio waves escaping through the bag from the device. The effectiveness of these shields is vital for security professionals and forensic investigators who seize devices and wish to ensure that their contents are not read, modified or deleted prior to a forensic examination. This research tests the effectiveness of several readily available Faraday bags. The Faraday bags tested are all available through online means and promise complete blocking of all signals through the bag. Additionally, other materials that can be used if a Faraday bag is not available, such as tin foil and a tin can, are tested and compared with the Faraday bags. A selection of common mobile phones from various manufacturers is tested in the shielding material. Additionally, 3G / 4G, WiFi and Bluetooth are tested with the bags and materials on those devices so equipped, to ascertain whether the material blocks all signals from the communicating technologies on the phones. Results show that the performance of the bags is not as promised by most vendors and that in urgent situations other materials at hand may suffice to perform the same function as a Faraday bag.
Ashleigh Lennox-Steele et al.

Google Earth forensics on iOS 10's location service
http://ro.ecu.edu.au/adf/164
Tue, 14 Feb 2017 23:01:08 PST
The easy access and common usage of GNSS systems has provided a wealth of evidential information that may be accessed by a digital forensic investigator. Google Earth is commonly used on all manner of devices for geolocation services and consequently has a wide range of tools that will relate real time and stored GNSS data to maps. As an aid to investigation Google Earth forensics is available for use. An investigator can use it by downloading geolocation data from devices and placing it on Google Earth maps, place geolocation data on historical archival maps, or by direct usage of the application in a device. In this paper we review the Google Earth forensics tool and use a simplistic scenario to demonstrate the power of the application for courtroom walk-throughs. The entry-level tool is free and can be used effectively to enhance the presentation of geolocation data.
Brian Cusack et al.

Improving forensic software tool performance in detecting fraud for financial statements
http://ro.ecu.edu.au/adf/163
Tue, 14 Feb 2017 22:51:05 PST
The use of computer forensics is important for forensic accounting practice because most accounting information is in digital form today. Access to evidence is increasingly complex and in far greater volumes than in previous decades. Effective and efficient means of detecting fraud are required for the public to maintain their confidence in the reliability of accounting audit and the reputation of accounting firms. The software tools used by forensic accounting can be called into question. Many appear inadequate when faced with the complexity of fraud, and there needs to be the development of automated and specialist problem-solving forensic software. In this paper we review the context of forensic accounting and the potential to develop improved support tools. The recommendation is for adopting financial ratio analysis as the basis for improved fraud detection software.
Brian Cusack et al.

Memory forensic data recovery utilising RAM cooling methods
http://ro.ecu.edu.au/adf/162
Tue, 14 Feb 2017 22:32:35 PST
Forensic investigations of digital devices are generally conducted on a seized device in a secure environment. This usually necessitates powering down the device and taking an image of the hard drive, or of the semi-permanent storage in the case of solid state technology. Guidelines for forensic investigations of computers advise that the computer should be shut down by removing the power supply, thereby maintaining the hard disk in the state it was in whilst running. However, valuable forensic evidence often exists in the volatile memory, which is lost when this process is followed. The issues of locked accounts on running computers and encrypted files present particular difficulties for forensic investigators who wish to capture a forensic image of the RAM. This research involves freezing RAM removed from a running computer so that it can later be reinserted into an unlocked computer, allowing for a forensic image of the RAM to be captured. Three different methods of cooling the RAM are compared, along with varying delays in RAM reinsertion. The results provide a guideline for forensic investigators on how the issues with locked accounts and encryption may be overcome to record this valuable evidence that is otherwise lost.
Kedar Gupta et al.

Detecting and tracing slow attacks on mobile phone user service
http://ro.ecu.edu.au/adf/161
Tue, 14 Feb 2017 00:30:39 PST
The lower bandwidth of mobile devices has until recently filtered the range of attacks on the Internet. However, recent research shows that DoS and DDoS attacks, worms and viruses, and a whole range of social engineering attacks are impacting on broadband smartphone users. In our research we have developed a metric-based system to detect the traditional slow attacks that can be effective using limited resources, and then employed combinations of Internet traceback techniques to identify the sources of attacks. Our research question asked: What defence mechanisms are effective? We critically evaluate the available literature to appraise the current state of the problem area and then propose an innovative solution for the detection and investigation of attacks.
Brian Cusack et al.

The Proceedings of 14th Australian Digital Forensics Conference, 5-6 December 2016, Edith Cowan University, Perth, Australia
http://ro.ecu.edu.au/adf/160
Tue, 14 Feb 2017 00:20:55 PST
Conference Foreword

This is the fifth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers, with a number from local and international authors. 11 papers were submitted and, following a double blind peer review process, 8 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included but not been limited to the reviewing and editing of the conference papers, and helping with the planning, organisation and execution of the conference. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year.

To our sponsors and supporters a vote of thanks for both the financial and moral support provided to the conference. Finally, to the student volunteers and staff of the ECU Security Research Institute, your efforts as always are appreciated and invaluable.

Yours sincerely,
Professor Craig Valli
Conference Chair
Director, Security Research Institute

Craig Valli

Cyber Blackbox for collecting network evidence
http://ro.ecu.edu.au/adf/159
Sun, 21 Feb 2016 21:40:13 PST
In recent years, the hottest topics in the security field have been related to advanced persistent attacks. As an approach to this problem, we propose a cyber blackbox which collects and preserves network traffic on a virtual-volume-based WORM device, called EvidenceLock, to ensure data integrity for security and forensic analysis. As a strategy to retain traffic for long enough periods, we introduce a deduplication method. This paper also includes a study of the network evidence which is collected and preserved for analysing the cause of a cyber incident. Then, a method is proposed to suggest a starting point for incident analysis to a forensic practitioner who has to investigate the vast amount of network traffic collected using the cyber blackbox. Experimental results show that this approach effectively reduces the amount of data to search by separating doubtful flows from normal traffic. Finally, we discuss the results from a forensically meaningful point of view and present further work.
Jooyoung Lee et al.

File system modelling for digital triage: An inductive profiling approach
http://ro.ecu.edu.au/adf/158
Sun, 21 Feb 2016 21:09:18 PST
Digital Triage is the initial, rapid screening of electronic devices as a precursor to full forensic analysis. Triage has numerous benefits including resource prioritisation, greater involvement of criminal investigators and the rapid provision of initial outcomes. In traditional scientific forensics and criminology, certain behavioural attributes and character traits can be identified and used to construct a case profile to focus an investigation and narrow down a list of suspects. This research introduces the Triage Modelling Tool (TMT), which uses a profiling approach to identify how offenders utilise and structure files through the creation of file system models. Results from the TMT have proven to be extremely promising when compared to EnCase's similar in-built functionality, which provides a strong justification for future work within this area.
Benjamin Rice et al.

Mobile device damage and the challenges to the modern investigator
http://ro.ecu.edu.au/adf/157
Sun, 21 Feb 2016 21:04:09 PST
Mobile Forensics has developed into an area of significant concern to law enforcement agencies and their counterparts, specifically as a result of individuals moving away from using traditional computers and focusing their attention on their mobile device. Due to the smart phone being almost permanently attached to the person or in near proximity, it has become a significant source of information for investigators and can mean the difference between proving guilt or innocence. Tools have long been established which provide agencies with the ability to encapsulate expertise, allowing the easy download and production of reports for the mobile device and how it was used. However, whilst these tools work for the majority of devices in near perfect working condition, they fail in cases where the phone is even slightly damaged. Many of the tools also require the investigator to unlock the phone or enable a feature before it can be downloaded. Should part of the phone be malfunctioning, or if it prevents a feature or unlock from occurring, the ability to obtain forensic evidence will be reduced. Whilst devices can be surprisingly resilient at times, damage such as throwing the device into a fire or snapping the logic board in half will ultimately render the device inoperable and beyond repair. The question therefore arises: How can the investigator even identify the model of the device, considering parts of the device, including identification stickers, may have melted off or be missing? In such scenarios, repairing the phone by replacing the majority of the hardware from a 'donor' phone cannot be conducted, as the devices are beyond repair. There is also no chance of being able to re-join the parts of a double or triple layer logic board, and re-joining a single layer logic board is both time- and labour-intensive. Even then there is no guarantee the phone will work again.
To address these difficulties, significant monetary investment is needed in equipment and training to equip forensic investigators with the skills and ability in Chip-Off forensics and Ball Grid Array (BGA) rework. These skills mean the small chips from the logic board can be removed without causing damage to their delicate legs or body, enabling the data they contain to be interpreted. Once interpreted, the investigator then has the ability to find what evidence was located on the device, hopefully leading to a conviction.
Dan Blackman

Image similarity using dynamic time warping of fractal features
http://ro.ecu.edu.au/adf/156
Sun, 21 Feb 2016 20:58:52 PST
Hashing algorithms such as MD/SHA variants have been used for years by forensic investigators to look for known artefacts of interest such as malicious files. However, such hashing algorithms are not effective when their hashes change with the slightest alteration in the file. Fuzzy hashing overcame this limitation to a certain extent by providing a close-enough measure for slight modifications. As such, image forensics is an essential part of any digital crime investigation, especially in cases involving child pornography. Unfortunately, such hashing algorithms can be thwarted easily by operations as simple as saving the original file in a different image format. This paper introduces a novel technique for measuring image similarity using Dynamic Time Warping (DTW) of fractal features taken from the frequency domain. DTW has traditionally been used successfully for speech recognition. Our experiments have shown that it is also effective for measuring image similarity while tolerating minor modifications, something current state-of-the-art tools are not capable of.
Ahmed Ibrahim et al.
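The contrast the abstract above draws, an exact hash that breaks on a trivial re-encode beside a DTW distance that tolerates it, as an added example (not the paper's code). The paper warps fractal features taken from the frequency domain; the feature sequence here is a simplified stand-in (assumption): the magnitude spectrum of a constructed row of grey-level pixels computed with a direct DFT, so the example runs offline with the standard library only. The DTW routine itself is the classic dynamic-programming form.

```python
"""Image similarity with Dynamic Time Warping (DTW) versus exact hashing.

Added example, not the paper's code. The paper warps fractal features from
the frequency domain; here the per-image feature sequence is a simplified
stand-in (assumption): the magnitude spectrum of a constructed row of
grey-level pixels, computed with a direct DFT so it runs offline.
"""
import hashlib
import math


def dft_magnitudes(samples):
    """Magnitude spectrum (bins 0 .. n/2-1) of a real-valued sequence."""
    n = len(samples)
    mags = []
    for k in range(n // 2):
        re = sum(x * math.cos(2 * math.pi * k * t / n) for t, x in enumerate(samples))
        im = -sum(x * math.sin(2 * math.pi * k * t / n) for t, x in enumerate(samples))
        mags.append(math.hypot(re, im) / n)
    return mags


def dtw_distance(a, b):
    """Classic DTW: minimum cumulative |a_i - b_j| over monotone warping paths."""
    n, m = len(a), len(b)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = abs(a[i - 1] - b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j],       # stretch a
                                 cost[i][j - 1],       # stretch b
                                 cost[i - 1][j - 1])   # advance both
    return cost[n][m]


def compare(pixels_a, pixels_b):
    """Exact-hash verdict beside the DTW distance of the two feature sequences."""
    digest_a = hashlib.sha256(bytes(pixels_a)).hexdigest()
    digest_b = hashlib.sha256(bytes(pixels_b)).hexdigest()
    return {
        "hash_match": digest_a == digest_b,
        "dtw": dtw_distance(dft_magnitudes(pixels_a), dft_magnitudes(pixels_b)),
    }


# Constructed 32-pixel grey-level rows standing in for images (assumption).
ORIGINAL = [100 + int(60 * math.sin(2 * math.pi * i / 32)) + (i % 4) * 3
            for i in range(32)]
# Same content after a lossy re-encode: a few pixels moved by +/-1.
RECOMPRESSED = [p + (1 if i % 3 == 0 else -1 if i % 5 == 0 else 0)
                for i, p in enumerate(ORIGINAL)]
# A different image altogether.
UNRELATED = [150 + int(40 * math.cos(2 * math.pi * 3 * i / 32)) for i in range(32)]


if __name__ == "__main__":
    print("original vs recompressed:", compare(ORIGINAL, RECOMPRESSED))
    print("original vs unrelated:   ", compare(ORIGINAL, UNRELATED))
```

The SHA-256 verdict flips to a mismatch the moment a single pixel moves, which is the failure mode the abstract describes for hash-based known-file matching; the DTW distance between the original and its re-encoded copy stays small while the distance to the unrelated row is large, so a threshold on it separates the two cases. In practice the threshold has to be calibrated on a corpus of known pairs, and the feature extraction (fractal features in the paper) is what determines how much distortion the measure tolerates.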